Closed mpchadwick closed 8 years ago
There may also be some value in using rpm for versions on rpm-based systems like RHEL/CentOS.
rpm -q httpd24u || echo "Not there"
httpd24u-2.4.18-1.ius.el6.x86_64
rpm -q httpd || echo "Not there"
package httpd is not installed
Not there
rpm --quiet -q httpd24u && echo --data-urlencode "apacheVersion=$(rpm -q httpd24u --queryformat '%{version}-%{release}')"
--data-urlencode apacheVersion=2.4.18-1.ius.el6
echo --data-urlencode "rpmVersions=$(rpm -qa --queryformat '%{name}-%{version}-%{release},')"
--data-urlencode rpmVersions=gpg-pubkey-0608b895-4bd22942,tzdata-2015g-2.el6,rpmforge-release-0.5.3-1.el6.rf,dmraid-1.0.0.rc16-11.el6........
There may also be some value in using rpm for versions on rpm-based systems like RHEL/CentOS.
Hmm, doing a bit of research there's also dpkg-query for e.g. Ubuntu systems
$ vagrant@homestead:~$ dpkg-query -W -f='${Version}' nginx
1.9.11-0+trusty0
Can you make a strong argument for why it's better to go through a package manager, which can vary from OS to OS, than to execute the binary directly, which (hopefully) should not change regardless of OS?
Yes. Because packagers have a nasty habit of backporting important fixes.
For example, OpenSSL 1.0.1t is the latest version of the 1.0.1 line of OpenSSL (ignoring 1.0.2+.) However, CentOS 6 servers all have OpenSSL 1.0.1e. Doesn't that mean we're missing important security patches, since 1.0.1t and etc. were all security releases?
Actually, no. The latest version of OpenSSL for CentOS 6 is 1.0.1e-42. If you were running 1.0.1e-30, for example, you might definitely be missing important security patches. But if you're on 1.0.1e-42, you're okay.
In either case, openssl version will just say 1.0.1e-fips. Packagers never bother to update versions in binaries so people can tell they are patched. You have to use the package system if you want to know if you are patched or not.
(packagers also have opinions, and may apply patches that mainline thinks are a bad idea or could break things - saying this from personal experience as mainline. Therefore "trusty" and "el6" could be different as well, and have bugs or security holes that are different from each other, depending on which packagers trusted mainline and which decided they knew more about the software than its developers do.)
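Added example (not part of the thread or the project's code): a simplified rpm-style comparison showing why the version-release string from rpm -q answers the patch question when the upstream version alone cannot. The host names and the .el6 release strings are constructed from the figures in the comment above, and the comparison leaves out epochs and rpm's ~ and ^ rules.

```python
import re
from itertools import zip_longest

_SEG = re.compile(r"\d+|[A-Za-z]+")  # runs of digits or letters; the rest separates

def seg_cmp(a, b):
    """Simplified rpm-style comparison: -1, 0 or 1 (no epoch, no ~ or ^ rules)."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x is None or y is None:
            return -1 if x is None else 1      # the side with segments left is newer
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats a letter one
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return 0

def split_vr(vr):
    """Split '%{version}-%{release}' output, e.g. '2.4.18-1.ius.el6'."""
    version, _, release = vr.partition("-")
    return version, release

def is_patched(installed_vr, fixed_vr):
    """True if the installed package is at or past the release carrying the fix."""
    (iv, ir), (fv, fr) = split_vr(installed_vr), split_vr(fixed_vr)
    return (seg_cmp(iv, fv) or seg_cmp(ir, fr)) >= 0

def audit(hosts, fixed_vr, upstream_fixed):
    """Per host: what an upstream-only check concludes vs. the package check."""
    report = {}
    for host, vr in hosts.items():
        upstream = split_vr(vr)[0]             # all the binary's version string carries
        report[host] = {
            "upstream": upstream,
            "upstream_check_ok": seg_cmp(upstream, upstream_fixed) >= 0,
            "package_check_ok": is_patched(vr, fixed_vr),
        }
    return report

# Constructed inventory: two hosts on the same upstream version, different releases.
HOSTS = {"web1": "1.0.1e-30.el6", "web2": "1.0.1e-42.el6"}

if __name__ == "__main__":
    for host, row in audit(HOSTS, "1.0.1e-42.el6", "1.0.1t").items():
        print(host, row)
```

Both hosts fail the upstream-only check against 1.0.1t, while the package check separates the release 30 host from the release 42 host.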
@toddbc You make very good points. Thank you. I'll update and resolve version information through the package managers (either dpkg or rpm).
@toddbc updated based on your feedback
Cool, looks good - just one note about Apache version detection.